>> I don't know if anybody pointed it out before... 

Yes, I did; see http://msgs.securepoint.com/cgi-bin/get/bugtraq0302/12.html


----- Original Message ----- 
From: "Adam [ckkl]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, March 23, 2003 3:10 AM
Subject: IE - reading local files


> Hello,
> 
> I don't know if anybody pointed it out before...
> 
> While playing with IE [6.0] I found out that 
> it is possible to read local files with a little
> help from the user...
> 
> How does it work?
> 1. IE lets you define a style for the INPUT type=file tag,
>     including a clipping region, which makes it possible to 
>     hide the "Browse..." button.
> 
> 2. IE lets you handle 3 events
>     - ondragstart
>     - ondrag
>     - ondragend
>    for misc. tags like DIV, INPUT, IMG and others
> 
> 3. IE lets you change the content of the INPUT after
>    the user has started to drag it
> 
> Screenplay:
> - user selects text in the source INPUT
> - user starts to drag the text
> - ondragstart event is fired
> - the function takes control
>   and changes the content
>   of the source INPUT
> - user drops the text in
>   the uploading INPUT control
> - ondragend event is fired
> - function takes control and 
>   submits the form at once
> 
> Exploit:
>     - create the INPUT uploading control (type=file)
>     - change its style to make it look innocent
>       [remove border, clip the 'Browse...' button]
>     - create the source INPUT control and make it 
>       look like innocent text [no borders, no focus]
>     - write a simple handler for the drag* events
>       - it will change the content of the source INPUT 
>        control to anything we want, f.ex. a local filename
>     - seduce the user (f.ex. with some kind of drag&drop 
>       JavaScript game) into selecting text and dragging it 
>       into the uploading control area, and when
>       it's done (ondragend), submit the form and this 
>       way send the file to the server
> 
> Proof of concept:
> http://www.sztolnia.pl/hack/dragquIEn/dragquIEn.html
> 
> Best Regards
> Adam Blaszczyk
> reverser, coder, writer & researcher  [VX/AV]
> http://www.symantec.com (Localization Engineer)
> http://www.mykakee.com (Home page)
> Whatever I say in this e-mail is my private opinion.
> 